In our previous Russian darknet focused blog post, we discussed some of the tools and techniques the Russians were discussing and using in offensive cyber operations against US and international organizations. Russian criminals are also notorious for selling malicious software, e.g. digital goods, on darknet marketplaces that could be used in an attack against government and corporate networks and infrastructure, e-mail lists for phishing, along with a myriad of illegal drugs and counterfeit.

Coincidently, the RAMP marketplace, active since September 2012, shut down around the same time as international authorities conducted Operation Bayonet, shutting down key centralized Tor marketplaces Alphabay and Hansa, amid concerns about possible law-enforcement’s use of denial of service attacks to expose the real IP address of the marketplace.

What Happened to the RAMP Community?

Similar to the after effects of shutting down AlphaBay and Hansa, the RAMP marketplace closure caused little disturbance to the Russian segment of darknet cryptomarkets. RAMP vendors successfully shifted to other key marketplaces while a hidden service called Consortium attempted to create an “ex-RAMP Verified Vendor Community” specifically for reconnecting with known verified RAMP vendors. DarkOwl Vision has successfully archived over 9,000 results from Consortium’s hidden service domains. Consortium was formed in late 2017 shortly after the RAMP marketplace closure, and active through May 2018. The Consortium hidden service featured 15,000 users, including more than 100 verified RAMP dealers who confirmed their identity with a PGP key. This archive provides an excellent investigative referential database for prominent darknet vendors and their aliases.

DarkOwl Vision Screenshot from Consortium Hidden Service Archive

When RAMP disappeared, legendary Russian marketplace, Hydra witnessed an increase in user registrations and vendor activity while and near clone of RAMP, called MEGA surfaced only earlier this year.

Hydra prefers serious Russian drug vendors, only allowing sellers who are willing to pay “rent” for their shops and requiring a monthly payment of over $100 USD for use of the service. This reduces the likelihood of vendors who are actually scammers or law enforcement utilizing the site for entrapment and exploitation.

Offers of Mobile SIM and Debit Cards on Hydra (source)http://hydra23qk4ar6ycs[.]onion)

MEGA Landing Page (http://megammpxznehakhm[.]onion)

MEGA has a wide range of illicit drug offerings in their market catalog including items ranging from marijuana to opiates with delivery across the Eastern Slavic language countries of Russia, Ukraine, and Belarus. Similar to other anonymous centralized markets, MEGA also supports vendors selling digital goods such as databases, carding and counterfeit related products, and ready to use hacking software. MEGA features a hidden service layout very similar to RAMP, with over 200 links to unique vendor shops from the landing page and many of the same drug vendors that once traded on RAMP also advertise on MEGA.

For example, one drug vendor on MEGA who uses the moniker, Aeroflot openly states in their MEGA vendor profile that they were also active on RAMP. Cross referencing the nickname against DarkOwl Vision revealed that Aeroflot also has their own personal vendor Tor hidden service where they offer popular drugs such as amphetamines, hashish, and psychedelic mushrooms directly without the marketplace interface. The Aeroflot vendor shop was first indexed by DarkOwl Vision in January 2018.

Surprisingly, there is little information on the surface web about Russia’s MEGA marketplace, as most open source darknet cryptomarket reporting features Hydra instead. Despite this, MEGA also has a Clearnet proxy of their site via the website URL http://www.mega2web.com.

Both MEGA and Hydra hidden services emphasize trusted vendor-buyer relationships before the market will facilitate the crypto-transaction and goods exchange. For example, on Hydra, before an order from the buyer is processed, the vendor and buyer must communicate and trust each other. The market even offers a “transaction chat” platform to communicate securely about the order. The classical process for browsing, selecting, and ordering a product on the platform are used to communicate to the vendor that you intend to buy from them, referred to on Hydra as a “reservation.” The vendor’s confirmation and order approval are required before payment for the item is disbursed and shipping commences. This approach theoretically reduces the likelihood of scamming and law enforcement operations.

Hydra’s formidable return after such a large-scale joint-international law enforcement effort seizure and vendors trading on the RAMP clone-MEGA reinforces theories that shutting down darknet markets only yield a mild, temporary deterrent effect on the affected darknet community and does not have near the impact the media conveys. This supports arguments from social scientists, Décary-Hétu and Giommoni in October 2016 after analytical review of the effectiveness of police crackdowns on cryptomarkets where they stated:

In Darknet Forums that Include Marketplace Features

Wayaway Russian Forum (http://wayawaytcl3k66fl.onion/)

There are a number of Russian-specific forums and bulletin boards across the Darknet. DarknetMarkets.co advertises Russia’s Wayaway forum as one of the oldest darknet marketplace, available since 2009, while the Tor hidden service title translates to “First Drug Forum.” Unlike centralized markets, Wayaway presents contents in a bulletin board layout with a range of topics, mostly drug-trafficking in nature, such as Shipping in Russia, Trade with CIS(Commonwealth of Independent States)Countries, Jobs, and Laboratory, where questions regarding home-based personal drug manufacturing are answered. Coincidentally, Hydra is listed as a Wayaway Partner on the forum’s footer along with Hydra logos, market links, and various digital advertising scattered across the forum. Wayaway serves also a gateway to Russian darknet drug vendors with a large section of the forum dedicated to connecting site visitors with individual drug vendors (i.e. “Trusted Stores in Russia”) including customer feedback and a question and answer section on transacting and shipping related concerns.

Wayaway topics have thousands of views and hundreds of comments indicating the forum serves as a high-volume resource for the Russian Tor community. Many of the most active users on Wayaway also trade in other drug and illegal goods forums on Tor.

Another popular Russian forum and marketplace on Tor is RuTor. RuTor has been an active Tor hidden service since 2015 and has quickly established itself as a reliable information resource for Russian hacking, darknet education, and project collaboration. RuTor’s landing page has several distracting advertisements at the top of the site similar to the previously popular RAMP marketplace.

RuTor Russian Forum (http://rutorzzmfflzllk5[.]onion)

Utilizing a bulletin board format similar to Wayaway, RuTor has established sections for Vendor Shop Fronts, Security, and News. The cryptomarket portion of RuTor is tightly controlled by the site administrator who must be contacted before submitting a deposit in a user’s market wallet. Most centralized marketplaces have an automated system for all market crypto-wallet deposits and withdrawals. RuTor has extensive threads covering cybersecurity related news, corporate data breaches, and technical tips and techniques for network infiltration and tracking.

Runion Darknet Forum (http://lwplxqzvmgu43uff[.]onion)

“Protecting the interests and rights of your paranoia” is another key Russian darknet forum, Runion, or the Russian Onion Union. Runion does not have the marketplace focus, but instead covers a wide range of darknet criminal specific topics such as Operational Security, Cryptocurrencies, Weapons, Finance and Law, Breaking and entering, Psychology, Hacking as well as Substances and Health. Example threads include in-depth technical conversations around potential Telegram hacking techniques, Dismantling and Shooting an RPG-22, and modifying smartphones for increased telecommunications security.

Administered by one who goes by Zed, Runion lists over 69,000 members, almost 20,000 topics, and over 300,000 messages posted on their forum since 2012. The nickname Zed is active across other hidden services, specifically moderating other well-known Tor carding forums.

Intelligent Hidden Services

The Russian darknet marketplaces and forums featured in this article have had a persistent Tor presence for several years and many include intelligent bot-detection code to prevent automation collection of their content. Captchas, formally known as Completely Automated Public Turing test to tell Computers and Humans Apart, are often present on many of the hidden services to detect if the website user is human or not. DarkOwl Vision’s authenticated crawl routine specifically targets services containing high value intelligence with such authentication protocols. In order to successfully view the content of a hidden service that includes such bot-detection methods with Professional Tools, search the domain along with the search pod, “GROUPS->AUTHENTICATED SITES” to reduce result noise.

On January 9, the KickAss Forum went offline. On Twitter, user @bitsdigit initially reported that the site was seized by law enforcement, but then said the seizure was not a legitimate notice (remarking that “something is very fishy”) and warned others to stay clear. Though the URL in the initial @bitsdigit reporting correlates to an older KickAss hidden service URL, DarkOwl confirmed the two most recent onion v3 KickAss URLs are indeed down, but do not display the Seized Hidden Service Banner.

On January 7, KickAss moderators started the thread, “KICKASS TOR VERSION 3 URLS”, announcing deactivation of the old v2 hidden service addresses and new v3 URLs would be circulating “for security reasons” - perhaps due to recent publicity relating to forum member TheDarkOverlord. Shortly after, the login page for KickAss changed to PRIVATE, with instructions for members to message a Jabber address using Off-The-Record (OTR) for continued access.

Screenshots from DarkOwl Vision from January 2019, listing new KickAss URLs.

Screenshot from DarkOwl Vision from January 2019, with Jabber contact.

However, according to historical records of the forum in DarkOwl Vision, the ka_apps@jabber.calyxinstitute.org Jabber account from a few days ago does not match Jabber accounts KickAss moderators have ever mentioned. Additionally, an announcement thread from November 2018, captured by DarkOwl Vision, stated that KickAss staff only uses OMEMO for end-to-end encryption, as OTR is not “save” [sic] anymore.

Screenshot from DarkOwl Vision from November 2018, mentioning that Kickass staff only use OMEMO, not OTR.

Given the abrupt private state of the forum days before it disappeared and use of OTR instead of OMEMO, it seems likely Law Enforcement has seized the KickAss forum, and the Jabber account with OTR was a phishing attempt to garner information about its active members. In the past, Law Enforcement have taken over hidden services and impersonated its moderators in attempt to get information about the sites’ members. Dutch police studied the logs of the real admins of Hansa for weeks and even operated the illegal marketplace, throwing the darknet community into chaos in 2017.

One thing that is consistent on the darknet is that hidden services come and go. On Thursday, members of Torum, another popular Tor-based cybersecurity forum, discuss the disappearance of KickAss and the importance of making the most of what’s online while it’s online.

Screenshot of Torum discussion about the KickAss forum disappearance.

DarkOwl will continue to follow this story and report updates as they are available.

This Week, 6,500 Hidden Services were Ousted from the Darknet

The name Daniel Winzen may not mean much to the ordinary internet user, but on the darknet @daniel is the legendary nickname for the individual known for offering free anonymous web hosting, chat, e-mail, and XMPP/Jabber services on Tor for the last 5 years and perhaps longer. He started out humbly - installing a small number of Tor-based hidden services, or websites, on a Raspberry PI 2 - but over the years expanded his presence to hosting upwards of 7,000 hidden services per month for darknet users across Tor and I2P. That is, until last week.

Shortly after 10:00pm UTC on the 15th of November 2018, Daniel Winzen’s server was breached, databases accessed, and accounts deleted, including the root, or administrator account, rendering his services unusable. In less than three hours, the intruders deleted SQL databases for his chat, onion-link list, and hit counter. Hackers initially accessed the main phpMyAdmin and adminer panels using the correct hosting management password, inferring the password may have been harvested via phishing attempt or the server was accessed by someone with access to Daniel’s credentials. Daniel’s popular GitHub account also experienced a failed login for his popular software repository on November 9th, which has not been determined as related as of yet.

Daniel’s updates on his portal indicates that this hack was a “database only” breach.

Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both, adminer and phpmyadmin have been used to run queries on the database. 

According to updates posted to his surface net and darknet portal, Winzen is thoroughly investigating all potential vulnerabilities in his server before restoring services. He has also listed concern over a 0-day exploit, released exactly one day before the attack, in the imap_open() function of PHP that he has since patched.

30% of Online Domains Disappeared Overnight

Over 30% of the operational and active hidden services across Tor and I2P disappeared with the hack of Daniel’s Hosting Services and over 6-Million documents archived in DarkOwl Vision are no longer available on the darknet.

DarkOwl quantified the impact to the size of the darknet, specifically Tor, using its internal “Map the Dark” reporting, which includes statistics from darknet websites indexed over the previous 24-hour period. Our data substantiates the hosting provider’s offline status, with a delta of 4,887 domains going offline between the 15th and 16th of November. DarkOwl has indexed the archives of 5,300 domains from early November and has assessed them to be services that were formerly hosted on Daniel’s server.

Daniel’s previous online-link list advertised that he hosted over 1,500 private hidden services whose domain URLs are unknown at this time. DarkOwl’s estimated total number of domains hosted by Daniel are consistent with the 6,500 offline domains quoted by Daniel on his server portal.

657 of the hidden services have only title “Site Hosted by Daniel’s Hosting Service” and contain no meaningful content worth mentioning. Darknet hidden service domain could have been used for something other than serving web content.

Over 4,900 of the hacked domains are in English and 54 are Russian-language hidden services. Two of the oldest hidden services are interestingly in the Portuguese language.

Figure 2: Graph model showing Daniel’s main Tor domain and all the subdomains

Daniel’s hosting service, chatroom and online-link list have served as a pillar for the darknet community for years. For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.

Given that his services were provided free of charge and generally reliable against attack, there are mixed theories as to who could have wanted to destroy this mainstay of the anonymous online community.

Are Russian Hackers Responsible?

In recent weeks, Russian hackers on a website called www.antichat.com, outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute force mining. Then, on Thursday (the same day as the attack), antichat.com forum staff member “Big Bear” posted a MEGA.nz link including a PDF, titled, “[RCE] 0-day в imap/c-client на примере PHP” (in English: [RCE] 0-day in imap / c-client using the example of PHP) detailing the imap_open exploit. The same post identifies the authors by the nicknames crlf and Twost, the latter of whom is also known as “Aleksandr.”

DarkOwl Vision shows darknet mentions of the alias Twost dating back to 2016.

The Anti Child-Exploitation Community

Daniel’s darknet notoriety increased in 2016 when he ported Lucky Eddy’s perl-CGI LE-Chat script into PHP with mySQL or PostgreSQL backend, optimizing the environment for Tor and decreasing the darknet community’s reliance on Javascript, thus allowing for image sharing inside a chat platform (which is not available via XMPP and IRC) without potentially compromising posters’ identities. As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

Individual “pedo-hunters” and anti-pedophilia groups have called for hacking Daniel’s services using large-scale distributed denial of service (DDoS) campaigns, specifically because it was rumored that the principal administrator and some key staff members were active in pedophilia-specific chats.

Figure 3: Anonymous post suggesting the hack was motivated by an anti-pedophilia agenda

A Potential Law Enforcement Operation

Daniel’s Chat quietly resurfaced this past Saturday with a clean install and backup from early 2017, accompanied by a flurry of confusion over the assignments of administrator, moderators, and members. Without the comforting presence of the “regular” member database and credentials, users had no way to verify that anyone was who they said they were. Many legitimately feared that popular nicknames of members and staff had been spoofed by trolls trying to capture access to the members-only chat. One user on the darknet social media site Galaxy3 stated that @daniel re-installed the chat and that it “sounded like him,” although with a caveat that everyone should be cautious.

At the same time, others theorized the extreme possibility that @daniel had actually been arrested and the take-down was led by international law enforcement or the German police. Daniel’s hidden services experienced extreme DDoS in the weeks preceding the hack, similar to other law enforcement-led darknet seizure operations.

Anti-Syntax Club or an Inside Job

For over a year, the nickname Syntax has been referenced with either extreme love or extreme hate. Hundreds of trolls have posted across forums and paste sites about how this purportedly 17-year-old female teenager is responsible for taking down a number of pedophilia chatrooms and community leaders in recent years. Since early this fall, there has been an increase in the number of anti-Syntax trolls repeatedly calling for attacks against Daniel’s services, more specifically Syntax and her ally ChatTor, since she was promoted to Super Moderator of Daniel’s popular and drama-filled chatroom during the summer and accused of abusing the position.

Other members have suggested the remote possibility the attack on Daniel’s was led by Syntax and ChatTor so that they could take administrative control of the chatroom, although a recent image capture from ChatTor states that it was simply about being at the right place at the right time.

Looking forward

While the darknet is ever-changing, DarkOwl Vision has the most recent information to support darknet network analytics and capture changes to hidden services. DarkOwl analysts continue to monitor and will publish updates as more information is uncovered.

International media recently highlighted the perils of Russian government sponsored cyber espionage operations against US elections in 2016, and the potential risks to the upcoming US midterm election this week.

With increasing concern over the validity of the US election process, DarkOwl analysts decided a review of Russia’s footprint across the darknet could provide insight on how operations on this scale are conducted.

By the Numbers

Russia-based anonymous websites comprise over 36% of the DARKINT™ collected by DarkOwl. DarkOwl has successfully indexed over 300 million pages across anonymous and deep web networks in the Eastern Slavic language of Russian. Russian hacking and carding forums accessible from the surface web account for 92% of the deep web content in DarkOwl’s Vision.

There are significantly more Russian hidden services in Tor than sites on i2p or Zeronet, suggesting Russian darknet users prefer Tor over i2p. Russian-language eepsites account for only 10% of the i2p content archived in DarkOwl Vision. Russian activity on the anonymous network, Zeronet is negligible.

What we know the Russians have been involved in…

Enter “Russian hacking” into any surface web search engine and you will undoubtedly receive millions of results about Russia’s malicious cyber operations ranging to undermining the US democratic election process through to targeting of the US utility grid. Most recent indictments highlighted charges against seven Russian intelligence officers with hacking anti-doping agencies who used sophisticated equipment to target the organizations’ wireless (wi-fi) network. (Source)

When you dig into the shadows of forums and chatrooms accessible only via the darknet, only security researchers and law enforcement are actively chatting and posting about vulnerabilities to critical US systems and infrastructure. In order to discover clues about what the Russians might be up to, one would need the keywords associated with the technical specifics of the tools and techniques required to carry out such sophisticated operations.

Reports regarding the recent Word Anti-Doping Agencies (WADA) hacks stated the Russians employed a wireless network sniffing device installed in the back of the operatives’s car for access to the WADA networks . The hackers also used a mixture of malware including Gamefish, X-tunnel, and Chopstick code, the majority of which have been seen before and used on other Russian-linked cyberattacks. (Source)

Figure 2: Russian forum discusses how to use such a device to intercept passwords for wi-fi networks

(DarkOwl Vision Doc ID: 536bb1af90f7d52b28430510685c1b51)

As evident by recent attacks against US thinktanks, the Hudson Institute and the International Republican Institute, the Russians are well known for their employment of targeted spear-phishing campaigns based upon a thorough reconnaissance and well-orchestrated intelligence collection operation prior to any network subversion. Spear-phishing is a type of hacking based on social engineering, similar to email phishing, but directed towards a specific individual or entity within a network or organization. A leaked NSA document revealed how offensive cyber officers from Russia in 2016 sent election officials emails with a MS Word attachment that was infected with a trojan of a Visual Basic script that would launch a program opening communications back to the hackers’ IP address.

Figure 3: Detailed Tactics, Techniques and Procedures Used by the Russians to Target US Election Officials in 2016 (courtesy of The Intercept) (Read more)

The sheer volume of compromised email credentials posted for sale in Russian marketplaces and shared on authenticated hacking forums is alarming. 103 .gov email results in DarkOwl Vision contain the phrase “election” in their domain address (*@election*.gov) and could provide a valid starting point for any of the specific state election servers.

Figure 4: Advertisement of database with 458 Million Emails and Passwords for Sale in DarkOwl Vision

Figure 6: Discussion of how to use SQLMap against a target network on a Russian forum

(DarkOwl Vision Doc ID: 53e19c5fbe5c7d9c6e625e668d660617)

For the past few years, millions of US voter registration data with full names, address, and voting data have appeared on offer for sale on darknet hacking forums and marketplaces. DarkOwl has observed data from over 30 states ranging from $250 to $5000 USD per state including: Colorado, Ohio, Connecticut, Florida, Michigan, North Carolina, New York, Pennsylvania, Rhode Island, Washington, Kansas, Wyoming, Oklahoma, Maryland, Arkansas, Nevada, Montana, Louisiana, Delaware, Iowa, Utah, Oregon, South Carolina, Wisconsin, Georgia, New Mexico, Minnesota, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia, Alabama, Alaska, and Texas.

Many of the posted state databases are older, i.e. Alabama and Alaska’s voter registration information is from 2015; however, many of these databases were on offer back on the infamous Alphabay darknet marketplace in 2016 as well.

Figure 8: A recent offer for several US State’s Voter Lists for sale as archived by DarkOwl Vision

(DarkOwl Vision Doc ID: cfae62df845b99fc173c42bd3b529303)

In recent weeks, comments from the vendor suggests that the voting records hacker has setup persistent access to the states’ databases, posting, “Besides data is refreshed each Monday of every week, once you request the data from me you will receive the freshest possible data from that state.” The fact this data is on the darknet is no surprise, as it is publicly available, open source information. It is a surprise anyone would actually pay for access to the information they could easily obtain themselves. Links to some of the state’s databases have appeared on some darknet forums as is, without any access payment required.

The hacker on the forum identifies themselves as a white male software engineer from the United Kingdom and “apathetic human-being” with other information that could be easily pivoted to the surface web. There is no indication he is affiliated with Russian government sponsored hackers.

Russia-affiliated threat actors and hackers, whether lone wolf or operatives of a major government-led cyber offensive, have more than sufficient tools and resources across the deep web and darknet to successfully exploit and profit from network and/or server vulnerabilities. Utilizing commercially available penetration testing resources and exploits circulated and sold on the darknet, hackers regularly infiltrate networks while completely evading detection or knowledge of the system’s administrators. Next time we will review some of the Russia-specific marketplaces and forums where these attack techniques are planned and coordinated.

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

TheDarkOverlord has resurfaced on Kickass Forum

TheDarkOverLord announces that they are officially back in business (Source)

TheDarkOverlord, one of the threat actors that DarkOwl analysts routinely monitor, has apparently resurfaced last week. In a recent series of posts, an entity claiming to be TheDarkOverlord is advertising a database of personal health information as well as user information taken from an unnamed gaming site - both of which are being offered for sale to willing buyers.

TheDarkOverlord claims to have hacked “several medical practices”

In the post (pictured below), TheDarkOverlord advertises that they have over 67,000 patient records for sale, stolen from medical and dental practices in California, Missouri, and New York.

The forum listing advertises that these databases include personal and health information including full names, physical addresses, phone numbers, DOBs, driver’s license numbers, SSNs, medical histories, and much more. A specific price point was not provided; rather, the prices are “negotiable.” Interested buyers were instructed to send TheDarkOverlord an encrypted message using the forum’s private messaging system.

TheDarkOverlord also states that they’d be willing to entertain higher offers for data that “no one else will have,” giving the potential transaction a level of exclusivity that will likely attract a certain type of buyer and grab even more public interest.

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum

Also for sale: a stolen database from a gaming website

On the same day, TheDarkOverlord posted a listing on the same Kickass Forum’s marketplace for 131,000 records from an “unnamed gaming website.” As advertised, these records include users’ email addresses, passwords, DOBs, IP addresses, and much more.

So far, it would appear that TheDarkOverlord is taking serious inquiries only. For example, in the comment section for the post below, someone asked for the name of the gaming website in questions, and TheDarkOverlord responded that they would like “proof of funds and intent to purchase” before disclosing any additional information.